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Abstract 

We present a second-order A-calculus with coercion constraints 
that generalizes a previous extension of System F with paramet¬ 
ric coercion abstractions by allowing multiple but simultaneous 
type and coercion abstractions, as well as recursive coercions and 
equi-recursive types. This enables a uniform presentation of several 
type system features that had previously been studied separately: 
type containment, bounded and instance-bounded polymorphism, 
which are already encodable with parametric coercion abstraction, 
and ML-style subtyping constraints. Our framework allows for a 
clear separation of language constructs with and without compu¬ 
tational content. We also distinguish coherent coercions that are 
fully erasable from potentially incoherent coercions that suspend 
the evaluation—and enable the encoding of GADTs. 

Technically, type coercions that witness subtyping relations be¬ 
tween types are replaced by a more expressive notion of typing co¬ 
ercions that witness subsumption relations between typings, e.g. 
pairs composed of a typing environment and a type. Our calcu¬ 
lus is equipped with full reduction that allows reduction under 
abstractions—but we also introduce a form of weak reduction as 
reduction cannot proceed under incoherent type abstractions. Type 
soundness is proved by adapting the step-indexed semantics tech¬ 
nique to full reduction, moving indices inside terms so as to control 
the reduction steps internally—but this is only detailed in the ex¬ 
tended version. 

Categories and Subject Descriptors D.3.1 [Programming Lan¬ 
guages] : Formal Definitions and Theory 

General Terms Design, Languages, Theory 

Keywords Type, Typings, Polymorphism, Coercion, Retyping 
functions, Type containment. Subtyping, Bounded polymorphism, 
Type constraints, System F, F-eta, GADTs, Step-Indexed seman¬ 
tics, Full reduction, Recursive coercions, Recursive types 

1. Introduction 

Type systems are syntactical languages to express properties and 
invariants of programs. Their objects are usually types, typing con¬ 
texts, and typing derivations. These can be interpreted as mathemat¬ 
ical objects or proofs. Typically, a typing judgment F h a : r can 
be interpreted as a proof that the term a is well-behaved and that 
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its computational behavior is approximated by the type r when the 
approximations of the behaviors of its free variables are given by 
the typing context T. The simply-typed A-calculus extended with 
constants such as pairs or integers to model the core of a real pro¬ 
gramming language is the simplest of all type systems. It is also 
somewhat canonical: it just contains one type construct for each 
related construct of the language: arrow types r —> o to classify 
functions, r x a to classify pairs, etc. and nothing else. Each type 
construct has a counter-part in terms and we may call them compu¬ 
tational types. 

Simply-typed A-calculus is however too restrictive and type sys¬ 
tems are usually extended with some form of polymorphism that 
allows an expression to have several types, or rather a type that 
stands for a whole collection of other types. Parametric polymor¬ 
phism, whose System F is the reference introduces polymorphic 
types V(a) r. A typing judgment r h a : V(a) r means that the 
program a has also type r[ a <— <r] ( i.e. r where a has been re¬ 
placed by a) for all types a. 

This operation, called type instantiation is in fact independent 
of the program a and can be captured as an auxiliary instantia¬ 
tion judgment V(a)r < r[a «— a\. This means that any term 
that has type V(a) r also has type r[a «— a\. Type instantiation 
is only a very specific form of some more general concept called 
type containment introduced by [Mitchell < (1988)) in System F who 
showed that this is equivalent to closing System F by ^-expansion 
(hence the name F^ for the resulting system). Type containment al¬ 
lows instantiation to be performed deeper inside terms (by contrast 
with System F where it remains superficial), following the struc¬ 
ture of types covariantly, or contravariantly on the left of arrow 
types. Type containment contains the germs of subtyping, which 
usually refers to a restriction of type containment that does not in¬ 
clude type instantiation as part of the subtyping relation, but in¬ 
stead injects primitive subtyping relations between constants such 
as int < float or primitive bottom and top types. The language 
F< ; proposed by |Cardelli et al.| fl994) is the system of reference 
for combining subtyping with polymorphism. Surprisingly, the lan¬ 
guages F, ? and F< : share the same underlying concepts but have in 
fact quite different flavors and are incomparable (no one is strictly 
more general than the other). For example, F< : has bounded quan¬ 
tification V(a < t)<j that allows to abstract over all types a that 
are a subtype of r, a concept not present in F,,. Although quite pow¬ 
erful, bounded quantification seems bridled and somewhat ad hoc 
as it allows for a unique an d upp er bound. 

The language MLF (Le Botlan and Remy] 2009) is another 
variant of System F that has been introduced for performing partial 
type inference while retaining principal types. It has similarities 
with both F< : and F,,, but introduces yet another notion, instance 
bounded quantification—or unique lower bounds. 

In some previous work (Cretin and Re my 2012), we intro¬ 
duced Ff, a language of type coercions with the ability to ab¬ 
stract over coercions, that can express F,, type containment, F< ; 
upper bounded polymorphism, and MLF instance-bounded poly- 











morphism, uniformly. Following a general and systematic approach 
to coercions lead to an expressive and modular design. However, 
F p still comes with a severe restriction: abstract coercions must be 
parametric in either their domain or their codomain, so that ab¬ 
stract coercions are coherent, i.e. their types are always inhabited 
by concrete coercions. This limitation is disappointing from both 
theoretical and practical view points. In practice, F p fails to give 
an account of subtyping constraints that are used for type inference 
with subtyping in ML. While in theory, subtyping constraints and 
second-order polymorphism are orthogonal concepts that should be 
easy to combine. 

Summary of our contributions In this work, we solve this prob¬ 
lem and present a language F cc that generalizes F, p (and thus sub¬ 
sumes F r; , F< : , and MLF) to also model subtyping constraints. Be¬ 
sides, F cc includes a general form of recursive coercions, from 
which we can recover powerful subtyping rules between equi- 
recursive types. As in our previous work, the language is equipped 
with a full reduction strategy, which also models reduction on open 
terms and provides stronger properties. We still permit a form of 
weak reduction on demand to model incoherent abstractions when 
needed, e.g. to encode GADTs. 

We also generalize type coercions to typing coercions which 
enables a much clearer separation between computational types 
and erasable types that are all treated as coercions. In particular, 
type abstraction becomes a coercion and distributivity rules become 
derivable. Another side contribution of our work which is however 
not detailed here by lack of space but can be found in the extended 
version, is an adaption of step-indexed semantics to full reduction 
strategies, moving indices inside terms. 

Plan The rest of the paper is organized as follows. We discuss a 
few important issues underlying the design of F cc in ^2] We present 
Fee formally in ^3j and state its properties in 0 We discuss the 
expressiveness of F cc in |5] and differences with our previous work 
and other related works as well as future works in 5j6] 

By lack of space, we have omitted many technical details and 
the whole proof of type soundness via step-indexed terms, which 
can be found in the extended version of this paper (Cret in and Remy| 
|20 1 4) and in the first author’s PhD dissertation ^Cretin|2014| chap 
5). The language F cc and its soundness and normalization proofs 
have been formalized and mechanically verified in CoqQ 

2. The design of F cc 

The language F cc is designed around the notion of erasable coer¬ 
cions. Strictly speaking erasable coercions should leave no trace 
in terms and not change the semantics of the underlying untyped 
A-term. When coercions are explicit and kept during reduction, as 
in Ff, one should show a bisimulation property between the calcu¬ 
lus with explicit coercions and terms of A-calculus after erasure of 
all coercions. However, since coercions do not have computational 
content, they may also be left implicit, as is the case in F cc . 

Some languages also use coercions with computational content. 
These are necessarily explicit and cannot be erased at runtime. 
They are of quite a different nature, so we restrict our study to 
erasable coercions. 

Still, erasability is subtle in the presence of coercion abstrac¬ 
tion, because one could easily abstract over nonsensical coercions, 
e.g. that could coerce any type into any other type. By default, these 
situations should be detected and rejected of course. We say that a 
coercion abstraction is coherent when the coercion type is inhab¬ 
ited and incoherent when it may be uninhabited. Notice that type 
abstraction in System F, bounded polymorphism in F< : , and in¬ 
stance bounded polymorphism in M LF are all coherent. 

1 Scripts are available at http: //gallium, inria.fr/~remy/coercions/ 


Coherent abstraction ensures that the body of the abstraction 
is meaningful—whenever well-typed. Hence, it makes sense to 
reduce the body of the abstraction before having a concrete value 
for the coercion— or equivalently to reduce open terms that contain 
coherent abstract coercions. 

Conversely, incoherent abstraction must freeze the evaluation 
of the body until it is specialized with a concrete coercion that pro¬ 
vides inhabitation evidence. Therefore, abstraction over incoher¬ 
ent coercions cannot be erased, even though coercions themselves 
carry no information and can be represented as the unit type value, 
as in FC (Weirich e t al,| 2011)—the internal language of Haskell 
whose coercion abstractions are (potentially) incoherent. 

Choosing a weak evaluation strategy as is eventually done in 
all programming languages does not solve the problem, but just 
sweeps it under the carpet: while type-soundness will hold, static 
type errors will be delayed until applications, and library functions 
that will never be applicable may still be written. 

Conversely, full reduction better exercises the typing rules: that 
is, type soundness for full reduction provides stronger guarantees. 
In our view, type systems should be designed to be sound for 
full reduction even if their reduction is eventually restricted to 
weak strategies for efficiency reasons. This is how programming 
languages based on System F or F< ; have been conceived, indeed. 

Therefore, F cc is equipped with full reduction as the default and 
this is a key aspect of our design which could otherwise have been 
much simpler but also less useful. 

However, we also permit abstraction over (potentially) incoher¬ 
ent coercions on demand, since this is needed to encode some form 
of dynamic typing, as can be found in programming languages with 
GADTs, for example. Indeed, GADTs allow to define parametric 
functions that are partial and whose body may only make sense for 
some but not all type instances. When accepting a value of a GADT 
as argument, the function may gain evidence that some type equal¬ 
ity holds and that the value is indeed in the domain of the function. 
We claim that incoherent abstraction should be used exactly when 
needed and no more. In particular, one should not make all abstrac¬ 
tions incoherent just because some of them must be. 

From explicit to implicit coercions Coherence is ensured in F/' 
by the parametricity restriction that limits abstraction to have a 
unique upper or lower bound. This also prevents abstract coercions 
from appearing in between the destructor and the constructor of a 
redex, a pattern of the form c(\(x : t') M) N (where c(-) is the 
application of a coercion) called a wedge , which could typically 
block the reduction of explicitly typed terms—therefore loosing the 
bisimulation with reduction of untyped terms. While the coherence 
of the abstract coercion c should make it safe to break c apart 
into two pieces, one attached to the argument N, the other one 
attached to the body M, this would require new forms of coercions, 
new reduction rules, and quite sophisticated typing rules to keep 
track of the relation between the residual of wedges after they have 
been split apart. Even though it should be feasible in principle, this 
approach seemed far too complicated in the general case to be of 
any practical use. 

Therefore our solution is to give up explicit coercions and leave 
them implicit. While this removes the problem of wedges at once, 
it also moves us away from a syntactic proof of type soundness. In¬ 
stead, type soundness in F cc is proved semantically by interpreting 
types as sets of terms and coercions as proofs of inclusion between 
types. 

Simultaneous coercion abstractions In order to relax the para¬ 
metricity restriction of F[‘ and allow coercions whose domain and 
range are simultaneously structured types, while preserving coher¬ 
ence, we permit multiple type abstractions to be introduced si¬ 
multaneously with all coercion abstractions that constrain them. 











Since coherence does not come by construction anymore, coher¬ 
ence proofs must be provided explicitly for each block of abstrac¬ 
tion as witnesses that the types of coercions are inhabited, i.e. that 
they can be at least instantiated once in the current environment. 

Grouping related abstractions allows to provide coherence 
proofs independently for every group of abstractions, and simul¬ 
taneously for every coercion in the same group. 

From type coercions to typing coercions A type coercion r > o 
is a proof that all programs of type r have also type cr in some en¬ 
vironment r. Pushing the idea of coercions further, typings (the 
pair of an environment and a type, written T h r) are them¬ 
selves approximations of program behaviors, which are also natu¬ 
rally ordered. Thus, we may consider syntactical objects, which we 
call typing coercions, to be interpreted as proofs of inclusions be¬ 
tween the interpretation of typings. By analogy with type coercions 
that witness a subtyping relation between types, typing coercions 
witness a relation between typings. This idea, which was already 
translucent in our previous work ( |Cretin and Remy|2012[ >, is now 
internalized. 

Interestingly, type generalization can be expressed as a typing 
coercion—but not as a type coercion: it turns a typing T, a h r 
into the typing T b V(a) r. This allows to replace what is usually 
a term typing rule by a coercion typing rule, with two benefits: su¬ 
perficially, it allows for a clearer separation of term constructs that 
are about computation from coercion constructs that do not have 
computational content (type abstraction and instantiation, subtyp¬ 
ing, etc.)\ more importantly, it makes type generalization automat¬ 
ically available anywhere a coercion can be used and, in particular, 
as parts of bigger coercions. An illustration of this benefit is that 
the distributivity rules (e.g. as found in F, ; ) are now derivable by 
composing type generalization, type instantiation, and ^-expansion 
(generalization of the subtyping rule for computational types). 

The advantage of using typing coercions is particularly striking 
in the fact that all erasable type system features studied in this paper 
can be expressed as coercions, so that computation and typing 
features are perfectly separated. 
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Figure 1. Syntax 
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Figure 2. Notations 
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Figure 3. Reduction relation 


3. Language definition 

3.1 The syntax and semantics of terms 

The syntax of the language is given in Figure[T] Because our calcu¬ 
lus is implicitly typed, its syntax is in essence that of the A-calculus 
extended with pairs. Terms contain variables x, abstractions Ax a, 
applications a b, pairs (a, b) , and projections a for z in {1,2}. 

Terms also contain two new constructs d a and a <£> called 
incoherent abstraction and incoherent application, respectively. The 
incoherent abstraction d a can be seen as a marker on the term a 
that freezes its evaluation, while the incoherent application a<0> 
allows evaluation of the frozen term a to be resumed. These two 
constructs enforce a form of weak reduction in a calculus where full 
reduction is the default. They are required to model GADTs, but 
removing them consistently everywhere preserves all the properties 
of F cc ; hence, one can always ignore them in a first reading of the 
paper. 

The reduction rules are given on Figure [5] We write a[x <— 6] 
for the capture avoiding substitution of the term b for the variable 
x in the term a, defined as usual. Head reduction is described by 
the /3-reduction rule RedApp, the projection rule RedProj, and Re- 
dIApp for unfreezing frozen computations. Reduction can be used 
under any evaluation context as described by Rule RedCtx. Evalu¬ 
ation contexts, written E, are defined on Figure[2] Since we choose 
a full reduction relation, all possible contexts are allowed—except 
reduction under incoherent abstractions: d [] is not an evaluation 
context. Notice that evaluation contexts contain a single node, since 
the context rule RedCtx can be applied recursively. 


The terms we are interested in are the sound ones, i.e. whose 
evaluation never produces an error. Errors are the subset of syn¬ 
tactically well-formed terms that “we don’t want to see” neither in 
source programs nor during their evaluation: an error is either im¬ 
mediate or occurring in an arbitrary context E (Figure [2}; imme¬ 
diate errors are potential redexes D [h] (applications of a destructor 
D to a constructor h) that are not valid redexes (the left-hand side 
of a head-reduction rule). Conversely, values are the irreducible 
terms that we expect as results of evaluation: they are prevalues, or 
constructors applied to values—except for incoherent abstractions 
which may be applied to arbitrary terms; prevalues are variables, 
or destructors applied to prevalues. Notice that the definition of er¬ 
rors is independent of the reduction strategy while the definition of 
values is not. This is why we prefer to state soundness as the fact 
that reduction never produces errors, avoiding the reference to the 
more fragile definition of values. (In particular, it becomes obvious 
that a restriction of the reduction strategy may only decrease the re¬ 
duction relation and therefore the set of errors that can be exposed 
during the reduction.) 

3.2 Types, kinds, propositions, and coercions 

We use types to approximate the behavior of terms, but types are 
themselves classified by kinds. So let us present kinds first. Al¬ 
though we do not have type functions, we need to manipulate tuples 
of types because several type variables and coercion constraints 
sometimes need to be introduced altogether. For the sake of sim¬ 
plicity and a slight increase in flexibility, we mix types, type se¬ 
quences, and constrained types into the same syntactical class of 
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Figure 4. Term typing rules 


types which are then classified by kinds. Kinds are written k. The 
star kind * classifies sets of terms, as usual. The unit kind 1 and the 
product kind k x k are used to classify the unit object and pairs of 
types, which combined together, may encode type sequences: for 
example, a type variable of kind Ki x K2 may stand for a pair of 
variables of kinds ki and K 2 . The constrained kind {a : k | P} re¬ 
stricts the set k to the elements a satisfying the proposition P. For 
instance, {a : * | [a o r]} is the set of types a that can be coerced 
to (e.g. are a subtype of) r —assuming that a is not free in r. 

Instead of having only proofs of inclusion between sets of terms, 
which we call coercions, we define a general notion of proposi¬ 
tions, written P. Propositions contain the true proposition T, con¬ 
junctions PAP, coercions [C], coherence propositions 3 k, and 
polymorphic propositions V(a : k) P. A coercion C can only be 
of the form (E h r) > a. When E is 0, we write r o a for 
(0 b r) o a and recover the usual notation for type coercions. A 
coercion can be used directly or seen as a proposition. We write [C] 
the use of the coercion C as a proposition. In a context T, the co¬ 
ercion (E P r) > a means the existence of a transformation from 
the typing T, E b r to the typing P b a. For example, when E is 
empty, a t> t means that a can be coerced to r (e.g. a is a subtype 
of r). 

The coherence proposition of the constrained kind {a : k | P}, 
namely 3 {a : k | P}, gives the usual existential proposition, 
because coherence corresponds to inhabitation and a type r is in 
the constrained kind {a : k | P} if it is in k and satisfies P. 

Types are described on Figure |T] They are written r or cr. They 
contain type variables a, arrow types t —> a, product types r x a, 
coherent polymorphic types V(a : k) r, incoherent polymorphic 
types n(a : k) t, recursive types par, the top type T, and the 
bottom type ±. 

Types also contain the unit object (), pairs of types (r, r), and 
projections m t to construct and project type sequences. We define 
the projections of pairs 7Ti (n, T 2 ) to be equal to the corresponding 
components Ti. Type equality is then closed by reflexivity, symme¬ 
try, transitivity, and congruence for all syntactical constructs. This 
defines equality judgments on types (ri = T2), kinds (ki = K2), 
and propositions (Pi = P 2 ), which are used in typing rules below. 
Notice that equality is never applied implicitly. 

We use environments to approximate the behavior of variables. 
The syntax of environments, written T, is described on Figure [T] 
Environments are lists of type binders (a : k) and term binders (x : 
t). We write E for environments that do not contain term bindings. 
We also use lists of propositions, written 0, called coinduction 
environments, to keep track of which propositions can be used 
coinductively. 

Let t be a type, a kind, a proposition, a typing environment, a 
sequence, or a set of such objects. We write fv(t) the set of free 
variables of t, defined in the obvious way, and t[a «— r] for the 
capture avoiding substitution of r for the variable a in t. All objects 
t are taken up to a-conversion of their bound variables. 

We assume that environments are well-scoped. That is, T, (a; : 
r) can only be formed when x dom(P) and fv(r) C dom(r); 
and F, (a : k) can only be formed when a dom(r) and 
fv(«) C dom(r). Similarly, T; 0 requires fv(0) C dom(r). 


3.3 Typing judgments 

Types, kinds, and propositions are recursively defined and so are 
their typing judgments. We actually have the following judgments, 
all but the term judgment being recursively defined: 
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We assume that judgments are always well-scoped: free variables 
of objects appearing on the right of the turnstile must be bound in 
the typing environment T. As usual, the environment T may not 
bind (type or term) variable twice, so that it can be considered as a 
partial mapping from type variables to kinds and term variables to 
types. 

Auxiliary judgments The main judgments are for terms, propo¬ 
sitions, and coercions. Others are auxiliary judgments and we de¬ 
scribe them first. 

The kind judgment Y b k states that the kind k is coherent rela¬ 
tively to the environment F. This judgment is actually equivalent to 
the proposition judgment T h 3 k that will be explained below. The 
environment coherence judgment r b E checks that every kind ap¬ 
pearing in E is coherent in the environment that precedes it. It is 
defined by the two rules: 

ri-E r.si-K 
r 1 - 0 - 1 - 

r b E, (a : k) 

Kind and proposition well-formedness are recursively scanning 
their subexpressions for all occurrences of coercion propositions 
[(E b t) C> a] to ensure that E, r, and a are well-typed, as 
described by the following rule: 

WfpCoer 

rhE r, E h r : * r h cr : * 

T Ih [(E 1 - r) 0 a] 

Well-formedness judgements ■ lb ■ recursively check well-formedness 
of their subcomponents. See the extended version for the complete 
description of well-formedness rules. We write lb T for 0 lb T. 

The type judgment T b r : k is defined in Figure [5] but we 
only present the most interesting rules. Rule TypePack is used to 
turn a type r of kind k satisfying a proposition P into a type of 
the constrained kind {a : k | P}. Conversely, TypeUnpack turns 
back a type of the constrained kind {a : k | P} into one of kind k, 
unconditionally. TypeMu allows to build the recursive type fia t, 
which can be formed whenever r is productive as stated by the 
judgment a 1 —> t : wf. Other rules are omitted by lack of space. 

Extraction property Typing rules are defined so that some invari¬ 
ants hold, such as well-formedness or well-kindedness of subcom¬ 
ponents. Therefore, there are immediate lemmas called extraction 
lemmas that state these invariants. 

• Terms: If T b a : r and lb T hold, then P b r : * holds. 

• Types: If T b r : k and lb T hold, then T lb k holds. 
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Figure 5. Type judgment relation (excerpt) 


• Propositions: If T; 0 h P, IP F, and F IF 0 hold, then r lb P 
holds. 

• Coercions: If F; 0 h (E b r) o tr, lb T, and r lb 0 hold, then 
r h E holds; moreover if T, E b r : * additionally holds, then 
r h cr : * holds too. 

These invariants also help understanding the typing rules. 

Term typing rules Following the tradition, we write T b a : r 
to mean that in environment T the term a has type r. However, we 
would also like to write this as a : T b r and read it the term a has 
the typing T h r, that is, a is approximated by the type r whenever 
its free variables are in the approximations described by T. We will 
keep the standard notation to avoid confusion, but we will read the 
judgment as above when helpful. 

Term typing rules are given on Figure [4] Observe that the 
first five rules are exactly the typing rules of the simply-typed A- 
calculus. 

The last two rules are for incoherent abstraction and application 
(they could be skipped at first): Rule TermBlock says that the 
program d a whose evaluation is frozen may be typed with the 
incoherent polymorphic type n(a : re) t if a can be typed with 
t in an extended context that assigns a well-formed kind re to a. 
Notice that F lb re, as opposed to F b re, does not imply that the 
kind re is coherent, but only that it is well-formed under T. Rule 
TermUnblock is the counterpart of TermBlock. If we have a 
term a of an incoherent polymorphic type n(a : re) t, i.e. whose 
evaluation has been frozen and a type a of kind re, we know that 
the kind re is inhabited by a. Therefore, we may safely unfreeze a 
and give it the type r[a «— a]. 

Rule TermCoer is at the heart of our approach which delegates 
most of the logic of typing to the existence of appropriate typing 
coercions. The rule reads as follows: if a term a admits the typing 
T, E b r and there exists a coercion from r to o introducing 
E under F, which we write F b (E b r) o a, then the term 
a also admits the typing F b a. The presence of E allows the 
coercion to manipulate the typing context as well as the type, which 
is the reason for our generalization from type coercions to typing 
coercions. When E is 0, the rule looks more familiar and resembles 
the usual subtyping rule: if a term a has type r under T and there 
exists a coercion from the type t to the type o under F (which is 
written T b r t> a), then the term a has also type o under F. 

This factorization of all rules but those of the simply-typed A- 
calculus under one unique rule, namely TermCoer, emphasizes 
that coercions are only decorations for terms. Rule TermCoer 
annotates the term a to change its typing without changing its 
computational content, as the resulting term is a itself. This is only 
made possible by using typing coercions instead of type coercions. 

The judgment F b (E b r) > a is in fact an abbreviation for 
the coercion judgment F;0 b (E b r) t> tr when 0 is 0. 

Propositions typing judgment The proposition judgment is de¬ 
fined in Figure [6] As for coercions, we abbreviate F; 0 b P as 
T b P when 0 is 0. The proposition environment © contains ad¬ 
ditional hypotheses that can be used coinductively when proving 
that a coercion holds. 

The proposition [(E b r) O a] is a particular proposition P 
stating the existence of a typing coercion from r to <r introducing E. 
As described by Rule PropCoer, to be used as a proposition, a 
coercion must first be typed as such F; 0 b (E b r) t> o, which 


will be explained below, and also satisfy the additional hypothesis 
r,E b r : This ensures a stronger invariant for propositions than 
for coercions. As a counterpart, the missing hypothesis is required 
in (the second clause of) the extaction lemma for the coercion 
judgment—but it will always be satisfied in the use of coercions 
in rule TermCoer, as explained further. 

Rule PropEq allows the use of type equality. Rule PropVar 
allows the use of a coinductive hypothesis P in 0. This is written 
P 1 ^ £ 0 because propositions that are guarded are marked ' in 0 
and only those are safe to use coinductively. 

In particular, rule PropFix which we do not usually find in type 
systems allows to prove a proposition by coinduction: if P is true 
assuming P in the unguarded coinduction environment, then P is 
true without this additional hypothesis. Coinductive propositions 
are introduced as unguarded so that they cannot be used directly, 
which would be ill-founded. Only some of the coercion rules (de¬ 
scribed below) may guard coinduction. The usual rules about re¬ 
cursive types that can be found in other type systems are admissible 
from the PropFix rule (see Section|33J. 

Rules PropTrue, PropAndPair, and PropAndProj are unin¬ 
teresting. Rule PropForIntro and PropForElim are unsurprising. 
Rule PropExi allows to embed the coherence of a kind re, i . e . the 
existence of a type inhabitant of kind re as the proposition 3 re. Rule 
PropRes allows to extract a proposition from a type r of a con¬ 
strained kind {a : re | P}, replacing the variable a of kind re by the 
witness r of kind re. 


Coercions We now explain typing rules for coercion proposi¬ 
tions. We may ignore the environment 0 in most cases, as it is 
just unused or transferred to the premises unchanged, except for 
the three ^-expansion rules that mark the environment as guarded 
0^ in their premises, therefore allowing coinductive uses of propo¬ 
sitions 0 via Rule PropFix. These are the rules that decompose 
computational types that have a counterpart in terms, namely Co- 
erArr, CoerProd, and CoerPi. 

We now explain coercion rules ignoring 0. Intuitively, the judg¬ 
ment T b (E b t) t> tr implies that any term that admits the typing 
T.E b t also admits the typing F b <r. (The converse is not true 
as the coercion typing judgment is semantically incomplete.) One 
could expect this judgment to be of the form (T, E b r) > (F b a), 
or even (Fi h n) l> (r 2 b ra). However, in our notation, E de¬ 
scribes environment actions under T in a compositional manner that 
eventually permits to go from Ti to T 2 . 

Rule CoerProp is the counter-part of Rule PropCoer, but we 
do not need additional hypotheses here—since the proposition 
judgment is stronger than the coercion judgment. 

Other coercion typing rules can be understood under the light 
of Rule TermCoer. In particular, the judgment F b (E b r) > a 
is meant to be used when some judgment F, E b- a : t holds, 
which by extraction implies that T, E h r : * Thus, coercions 
T b (E h r) > cr need not assume that T, E h r : * holds. 
However, whenever this is the case, they should then ensure that 
T b o : * holds, as stated by the extraction lemma for coercions. 

This explains the difference between Rule CoerBot which does 
not have any premisse and Rule CoerTop, which need one. Other¬ 
wise, those two rules are standard and just close the coercion rela¬ 
tion with extrema. For any typing F b r, there is a smaller typing, 
namely F b 1, and a bigger typing, namely fbT. 
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Figure 6. Proposition judgment relation 


Rules CoerRefl and CoerTrans close the coercion relation by 
reflexivity and transitivity. To understand CoerTrans let’s take a 
term a with typing F,E 2 ,Ei h n. Applying Rule TermCoer 
with the second premise of Rule TermTrans ensures that the term 
a admits the typing T, E 2 h r 2 . Applying Rule TermCoer again 
with the first premise of Rule TermTrans, ensures that a admits 
the typing T h T3 as if we have applied Rule TermCoer to the 
original typing of a with the conclusion of Rule CoerTrans. 

The Rule CoerWeak implements a form of weakening. It tells 
that if any term of typing F, E h r can be seen as V h cr, then any 
term of typing Phr can also be seen as T h cr. Since weakening 
holds for term judgments, we can do the following reasoning to 
justify this rule. Assuming that the premise T, E h r holds, we 
argue that the conclusion should also hold; indeed, a term that 
admits the typing F h r also admits the typing P, E h r by 
weakening; therefore, by the premise of Rule CoerWeak, it must 
also have typing P h cr. However, this reasoning is mathematical 
and based on our interpretation of coercions: Rule CoerWeak is 
required as it would not be derivable from other rules—not even 
admissible—if we removed it from the definition. Notice that this 
is the only rule that removes binders. 

The rules CoerProd, CoerArr, and CoerPi close the coercion 
relation by 77 -expansion, which is the main feature of subtyping. 
Here, 77 -expansion is generalized to typing coercions instead of 
type coercions. The 77 -expansion rules describe how the coercion 
relation goes under computational type constructors, i.e. those of 
the simply-typed A-calculus. 

Intuitively, 77 -expansion rules can be understood by decorating 
the 77 -expansion context with coercions at their respective type 
constructor. These coercions are erasable because the 77 -expansion 
of a term has the same computational behavior as the term itself. 

For example, consider the 77 -expansion context for the arrow 
type Ae ([] x). Placing a term with typing T, E h r' —> a' in the 
hole, we may give As ([] x) the typing r h r —► <r provided a 
coercion of type T, E h r > r' is applied around x. The result of 
the application has typing F, E h a' which can in turn be coerced to 
T h a if there exists a coercion of type T h (Eh cr')> < 7 . Thus, the 
77 -expansion has typing T h r —> cr. While the coercion applied to 
the result of the application may bind variables E for the hole (and 
the argument), the coercion applied to the variable x needs not bind 
variables, since the variable x could not use them anyway. Notice 
that the first premise is there to preserve the extraction lemma for 
coercions. 

Rules CoerGen and CoerInst implement the main feature of 
the language, namely simultaneous coherent coercion abstractions. 
Intuitively, Rule CoerGen combines several type and coercion 
abstractions. This is however transparent in rule CoerGen since 
the simultaneous abstractions are grouped in the kind re. Hence, this 
rule looks like a standard generalization rule. The only key here is 
the premise that requires the kind to be coherent. The coherence 
hypothesis is necessary for type soundness. Otherwise, it would 
be possible to type unsound programs by abstracting over some 
uninhabited kind re, such as {a : * [(a —► a) > (a x a)]}. 

Notice that CoerGen is the only rule using typing coercions in a 


crucial way and that could not be presented as a coercion if we just 
had type coercions. Rule CoerInst is the counter part of CoerGen: 
it instantiates the abstraction by a type of the right kind. 

Rule CoerPi is an 77 -expansion rule and should be understood 
by typing the 77 -expansion of the incoherent polymorphic type 
d ([] 0 ), inserting a coercion around the incoherent application. 
Placing a term with typing F, E h n(a/ : re') r' in the hole, 
we may first apply weakening to get a typing of the form F, (a : 
re), E h n(c/ : re') t' . By instantiation (Rule TermInst), we get a 
typing F, (a : re), E h t'[c/ 4 — a'] provided T, (a : re), E h a' : 
re'. Applying a coercion (E h r'[a' 4— cr']) > r (Rule TermCoer), 
we obtain the typing F, (a : re) h r, which we may generalize 
(Rule TermGen) to obtain the typing T h n(a? : re) r of d ([] <C>). 
Notice that, by contrast with Rule CoerGen, we do not require 
coherence for the kind re, but just its well-formedness. The reason 
is that this is a term typing rule that blocks the evaluation. However, 
we require the coherence of the type environment extension E 
under T. This is a very important premise because we do not want 
the incoherence of re to leak in E and thus under the coercion, 
because 77 -expansions are coercions and thus erasable. 

Interestingly, the 77 -expansion rules for erasable type construc¬ 
tors are derivable as their introduction and elimination rules are 
already coercions. For example, consider this simple version of 77 - 
expansion for the universal quantifier: 

CoerAll 

r h re r, (a : re); ©hr>a 

T; 0 h V(a : re) r > V(a : re) cr 

Let (1) and (2) be the left and right premises. We have T, (a : 
re) h a : re (3) by TypeVar. By CoerInst applied to (3) we have 
r, (a : re); 0 F V(a : re) t t> r (4). By CoerGen applied to (1) 
we have T; 0 h ((a : re) h a) t> V(a : re) a (5). By CoerTrans 
applied twice to (4), (2), and then (5) we have T; 0 h ((a : re) h 
V(a? : re) t) > V(a : re) cr, from which we may conclude by Rule 
CoerWeak. 

Similarly, rules for distributing universal types over arrow 
(CoerDistribRight) and product types are also derivable: 

CoerDistribRight 

r h re T h r : * 

T; 0 h V(a : re) (r —7- a) > r —> V(a : re) a 

Rules CoerFold and CoerUnfold are the usual folding and 
unfolding of recursive types, which give the equivalence between 
7 1 a r and r[a 4 — fia r]. Remarkably, the usual rules for reasoning 
on recursive types ( [Amadio and Cardellif 1993 [ 1 are admissible using 
PropFix (we write 7 ~i 0 r 2 for [n > r 2 J A |r 2 > n]): 

CoerPeriod 

a 1—> a . wf coerEtaMu 

T; 0 h (Ti <t> a[a 4 — Ti]y e '- 1 ’ 2 ' F, (a, /3 ); 0 h r > a 

T;0 h ri t>r 2 T;0 h fia t > 7 u /3 a 

Interestingly, the proof for CoerPeriod requires reinforcement of 
the coinduction hypothesis since we need n <t> t 2 and not just 
[ti > r 2 ] in the coinduction hypothesis. 
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Figure 7. Coercion judgment relation 
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Figure 8 . Well-foundedness judgment relation 


Finally, the well-foundedness judgment, written a 1 —> t : 
X, means that a 1 —> r is well-founded when x is w f or non_ 
expansive when x is ne - The rules are unsurprising. The most 
interesting ones are RecArr, RecProd, and RecPi which ensure 
well-foundedness provided the components are themselves non- 
expansive. Conversely, rules RecFor and RecMu just transfer both 
well-foundedness and non-expansiveness from their components. 
For polymorphic types, the abstract variable should not appear in 
its bound to ensure well-foundedness or non-expansiveness. Of 
course, recursive types can only be well-formed if they are well 
founded (left premise of RecMu). 


4. Properties 

System F cc is sound: erroneous terms never appear during the evalu¬ 
ation of well-typed programs. Moreover, in the absence of recursive 
types and coinduction, all reduction paths terminate. Finally, in the 
absence of incoherent abstraction, the reduction is confluent. 

We loose confluence in the presence of incoherent abstraction, 
since a partially evaluated term a may be substituted under an inco¬ 
herent abstraction, after which further reductions won't be permit¬ 
ted inside a. This is a well-known problem when mixing full and 
weak reduction strategies with also a well-known solution l |Levy| 
and Maranget 1999): confluence can easily be restored by using 
explicit substitutions to hold the substitution at the entry of an in¬ 
coherent abstraction until the abstraction is applied and evaluation 
may be resumed. A variant of this solution in the spirit of the work 
of jBlanc et al.| < |2005] ) is to add in the language an incoherent weak¬ 
ening construct to cancel the freezing effect of the incoherent ab¬ 
straction: reduction could still be performed in the weakened part 
of the incoherent abstraction. This avoids explicit substitutions, but 
complicates reduction contexts that have to look under incoherent 
abstractions for occurrences of incoherent weakenings. 


Subject reduction is also lost in F cc —although the language is 
sound. This is just the consequence of our decision to move from 
an explicit calculus of coercions to implicit coercions. The type 
system is just not rich enough to track after reduction the invariants 
that can be expressed by coercions on source programs, typically 
when coercions are used in wedges. (This issue is further discussed 
in 36 . 1 1 ) 

The language F cc has been formalized in Coq and its properties 
have been mechanically verifiecj^] 

5. Expressiveness 

The language F cc is more expressive than Ff: apart from the change 
of presentation, moving from type coercions to typing coercions 
and from explicit coercions to implicit coercions, the only signifi¬ 
cant change is for type and coercion abstraction: the new construct 
of F cc which by design generalizes the two forms of coercion ab¬ 
straction in F, p . Indeed, we can choose ± (resp. T) to witness co¬ 
ercions that are parametric in their domain (resp. range). Therefore 
the languages F< ; , M1_F, and F, ; which are subsumed by F t p can also 
be seen as sublanguages of F cc . 

5.1 Encoding subtyping constraints 


We claim that languages with M L-like subtyping constraints (|Oder-| 


[sky et al. 1999, 

Pottier 

1996 ) can be simulated in F cc . Following the 

presentation of 

Pottier 

(19961, term judgments with subtyping con- 


straints may be written Are : r \ C where A is the environment, 
e the expression, r its type, and C is a sequence of subtyping con¬ 
straints. 


To ease the embedding of subtyping constraints in F cc , we 
slightly abuse of notations. First, we see let-bindings as the usual 
syntactic sugar for redexes. We write a for a sequence of variables 
ot\ . . ,a n where n is left implicit. Given a sequence of variables 
a, we see at as a.i, the i’th projection of a. We write (a | P) as a 
shorthand for the type binding (a : {a : * n \ P}) where n is the 
size of a. Finally, we see constraint type schemes Va.C => t as 
the coherent polymorphic type V(a | C) r. 

A term judgment A P e : r | C can then be seen as the F cc 
judgment (a | C), A h e : r where a are free variables of A, C, 
and t. Notice that the environment in the translation of judgments 
is always of the form ( a \ C),A composed of a single abstraction 
block (a | C ) followed by term bindings A. 

Type systems with subtyping constraints use two notions, solv¬ 
ability and consistency, that coincide in ML. Solvability means that 
one can find a ground instance for type variables that solves the 


2 See http: //gallium, inria.fr/~remy/coercions/ for details. 





































constraints. Consistency means that the transitive and congruence 
closure of the set of constraints does not contain inconsistencies. 

We claim that solvability of a set of constraints C implies the 
coherence of the translation of C, since it amounts to exhibit type 
witnesses such that the constraints hold. These witnesses lie in a 
syntax with simple types and recursive types. Moreover, since solv¬ 
ability is equivalent to consistency, we conclude that consistency is 
equivalent to coherence. 

The two interesting typing judgments for subtyping constraints 
are for let-binding and subsumption. These are as follows and are 
admissible in F cc : 

aha a h C' [/? i — a ] 

(a I C), r, (x : V(/3, C')t) hb-.p («J|C'),rha:r 
in C),V iXr h ) a : p 

(a \C),Vha-.T (a \ C 1 ) h C A r > a 
(a | C'),T h a : a 

However, there remain two differences with the way subtyping 
constraints are usually handled. A judgment A h e : r | C 
is valid when C is consistent while our corresponding judgment 
(fv(A,C, r) | C),A h e : r is valid when C is solvable, i.e. 
h (fv(C) | C ), which must exhibit a substitution 0 of domain 
fv(C) such that 0 h C9. While consistency and solvability coin¬ 
cide in M L with subtyping constraints, this need not be the case. 
Consistency is a semantic property while solvability is a syntac¬ 
tic property. Using consistency instead of solvability, we only have 
to verify a property of the constraints without having to exhibit a 
concrete solution. Consistency is more flexible than solvability. In 
practice, it can also be checked more modularly. 

We already have some flexibility to reason about coherence 
in F cc using propositions and assumptions in the typing context. 
However, constraint entailment differs in both systems. In partic¬ 
ular, we cannot express the decomposition of typing constrains, 
e.g. deduce the consistency of a > a' from the consistency of 
t — > a > t — > a', as is the case with subtyping constraints. 

The reason is that subtyping constraints are syntactic and taken 
in a closed-world view: subtyping relations that cannot be ex¬ 
pressed syntactically do not hold, which can be used to reinforce 
constraint entailment. Our approach in F cc is semantic and syntac¬ 
tic coercions must be interpreted in the semantics. Since our seman¬ 
tics has more types and coercions than the syntax allows to build, 
some reasoning principles that would be true from a purely syntac¬ 
tic point of view will not hold in our semantics and thus cannot be 
added in the syntax. We are bound to an open-world view. Still, it 
would be interesting to see how our approach could be extended 
to allow a form of closed world view and express some negative 
information. 

5.2 Encoding GADTs 

Incoherent polymorphism is necessary for features that contain 
some form of dynamic typing, such as GADTs. It may also be a 
simplification for the programmer that does not have to provide 
the witness type that proves the coherence—but at his own risk of 
delaying type errors. 

In this subsection we show how GADTs can be encoded with 
incoherent polymorphism and also how coherence and incoherent 
polymorphism can be interestingly mixed. 

Incoherent polymorphism permits type abstraction for any well- 
formed kind: inhabited kinds, potentially inhabited kinds, and 
empty kinds. In the polymorphic type n(a : k ) t, the coherence 
of kind k may depend on some type variable /3 of the type environ¬ 
ment. Depending on how {3 is instantiated, the kind k may or may 
not be inhabited. 


Before we give a concrete example, let us first introduce existen¬ 
tial types by their CPS encoding. Because we have two notions of 
polymorphism, coherent and incoherent, we also have two notions 
of existential types: we write 3 (a : k) t for coherent existential 
types and E(a : k) t for incoherent existential type^] defined as 
follows. 

coherent: 3(a : k)t = V/3 (V(a : k ) (r -A /3)) —> /3 

incoherent: E(a : k)t = V/3 (n(a : k) (t —> /3)) —> /3 

We define the pack and unpack term syntactic sugar for the 
coherent existential, and ipack and iunpack for their incoherent 
version. Notice that the body of the iunpack sugar is hidden under 
an incoherent type abstraction, and as such is allowed to be unsound 
because it cannot be reduced. 

pack a = kx x a unpack a asx in b = f a (A® fo) 

ipack a = kx x <C> a iunpack aasx\r\b = a (d kx b) 

Let’s assume we have type-level functions and sum types. We 
can now define the following GADT, named Term, and with kind 
* —> * (where r <t> a stands for [r O a] A [cr > r] as above): 

Term a = E(/? : * x * | a <t> (7Ti /3 — > 7r 2 /3)) a 

+ 3/3 Term (/3 — > a) x Term /3 

This GADT is the sum of an incoherent existential type and a 
coherent one. The incoherent existential type requires a to be an 
arrow type and stores a term of such type; it also names m (3 the 
argument type and 7T2 /3 its return type. The coherent existential 
type adds no constraint on a but stores a pair such that its first 
component applied to its second component is of type a; it names /3 
the intermediate type. The Term GADT contains two constructors: 
one for the left-hand side of the sum injecting functions and one 
for the right-hand side of the sum freezing function applications. 
We can define its two constructors in the following manner: 

Lama; = inI (ipacka;) 

: VaV/3 (a — > f3) — > Term (a —> /3) 

Appyx = inr (pack (y, x)) 

: Va V/3Term (a — > (3) — > Term a — > Term f3 

We can now define a recursive eval function taking a term of type 
Term a and returning a term of type a for all type variable a. Said 
otherwise, eval has type Va (Term a —> a). When the argument 
is on the left-hand side of the sum, eval simply unpacks it and 
returns it. When the argument is on the right-hand side of the sum, 
eval first unpacks it as a pair and applies the evaluation of the first 
component to the evaluation of the second component. We thus use 
the incoherent version of unpacking on the left-hand side and the 
coherent version on the right-hand side. 

eval x = case x of 
{ inlxi i—^ iunpack as y in y 

| inra ;2 i-»- unpacks^ as y in (eval (wi y)) (eval (7T2 y))} 

Let’s now suppose that we call eval with a term of type Term (r x 
a). This term is necessarily from the right-hand side of the sum 
because r x u cannot be equivalent to an arrow type by consistency. 
However, in the first branch, in the body of the inconsistent unpack, 
we have access to the proposition t x a o ni /3 —> tt 2 f3 which 
is inconsistent. This sort of inconsistency in some branches of case 
expressions is frequent with GADTs. Notice however, that we can 
reduce the second branch because we used a coherent existential 
type since there is a witness for /3 for any instantiation of a. 


3 E here is a binder and has of course no connection with E used as typing 
environments. 







6. Discussion 

We first compare F cc with our prior work and other related works; 
we then discuss language extensions and future works. 

Our version of F cc slightly differs from the original presenta¬ 
tion (Creti n|2014) that has been mechanically formalized, but these 
are purely notational differences, such as merging type and term 
bindings into a single typing environment. 


6.1 Comparison with F p 

The closest work is of course our previous work on F p of which 
F cc is an extension. The main improvement in F cc is the ability to 
abstract other arbitrary constrains, but the price to pay is to pro¬ 
vide coercion witnesses to ensure the coherence. Notice however, 
that terms of F, p are not affected, since their coherence comes by 
construction and thus has trivial witnesses. 

Coherence is sufficient for type soundness, but in an explicit lan¬ 
guage of coercions it does not suffice for subject reduction, which 
also requires that the language has a rich syntactic representation 
to keep track during the reduction of invariants expressed by coer¬ 
cions. Our approach in F cc is to avoid the need for decomposing ab¬ 
stract coercions into smaller ones by presenting an implicit version 
of the language. This also avoids introducing new coercion con¬ 
structs in the language and their associated typing rules—which 
we failed to prove to be sound by syntactic means in an explicit 
language of coercions. 

Therefore, moving from F p to F cc has a cost—the lost of an 
explicit calculus of coercions with subject reduction. Of course, 
one can still introduce explicit syntax for coercion typing rules 
in the source so as to ease type checking, but terms with explicit 
coercions will not have reduction rules in F cc . 

An interesting question is whether there are interesting lan¬ 
guages between F p and F cc that would still have a (relatively sim¬ 
ple) calculus of explicit coercions. If we restrict to certain forms 
of coercions, instead of general coercions, the question of coher¬ 
ence may be much simpler. For example, one could just consider 
equality coercions as in the language FC jWeirich et al.|20lT) . 

In Fee, we simultaneously abstract over a group of type vari¬ 
ables and coercions that constrain those variables. The choice of 
grouping must be such that the group is coherent for all possible 
instantiations of variables in the context. 

We have also explored a syntactically more atomic version of 
Fee where type and coercion abstraction are separate constructs as 
in F t (Cretin and Remy 2012). Namely, the usual type abstraction 
V(«) r and coercion abstraction (n > rf) => cr—a term of type 
a under the hypothesis that t\ t> T 2 holds. For instance, this would 
permit to write a function of type V(a) ( a —> (ti > rf) =f- a) and 
apply it to a type parameter, then to a value of type a, and finally to 
a coercion. However, this additional flexibility is negligible, these 
are just 77 -expansion variants of terms in F cc . Moreover, related type 
abstractions and coercions should still be checked simultaneously. 
That is, even if the arguments are passed separately, the typing 
derivation must maintain a notion of grouping underneath so as to 
check for coherence. The solution in F cc seems a better compromise 
between simplicity and expressiveness. 


6.2 Comparison with other works 

To the best of our knowledge there is no previous work considering 
erasable typing coercions. Although the typing coercion (E h 
r) t> o may be simulated as the type coercion (V(E) r) t> a, 
there remain two important differences: first, this syntactical play 
cannot explain type and coercion generalization, and therefore, a 
type generalization typing rule must still be present at the term 
level to go from T, E h r to T h V(E) r. Second, coercion rules 
such as transitivity and 77 -expansion rules are more natural when 
presented as typing coercions, since the type transformation and 


the environment extension of coercions are presented in parallel, 
while these two tranformations are confused when presented as 
type coercions. 

Some languages such as Coq or Matita enable instantiation or 
generalization as coercions (the output type is not polymorphic type 
while the input type is, or reciprocally), but these are non-erasable 
coercions that drive the meaning of the underlying program ) |Coen| 
|and Tassi|2009| >. 

The use of type coercions to study features of type system is 
not at all new. Coercions have also been used in the context of 
subtyping, but without the notion of abstraction over coercions. 

The heavy use of coercions in FC l |Weirich et al.|20lT) , the core 
language of GHC, was one of our initial motivations for studying 
coercions in a general setting. In FC, only toplevel coercion axioms 
coming from type families and newtypes are checked for consis¬ 
tency. Local coercion abstractions are not. This is safe because all 
coercion abstractions in FC freeze the evaluation. This simplifies 
the meta-theory but at some significant cost, since the evaluation 
must be delayed to never reduce in a potentially inconsistent con¬ 
text. Our inconsistent coercions largely coincide to—and was in¬ 
spired by coercions in FC. In return, F cc offers the ability to choose 
between coherent and incoherent coercion abstractions so that co¬ 
herent coercions could be expressed as such and thus not freeze the 
evaluation and still bring more static guarantees to the user. While 
F cc treats coercions in the general case, FC considers only a very 
specific case of equality constraints—with additional restrictions— 
so that e.g. coherence of toplevel coercions axioms can be checked 
automatically. 

Coercions have also been used to eliminate function call over¬ 
head from datatype constructors fVanderwaart et al.|2003| ): the fold¬ 
ing and unfolding of datatype definitions are done using erasable 
coercions, thus with no run-time effect or hidden cost while pre¬ 
serving the semantics. 

Recursive coercions have also been used to provide coercion 
iterators over recursive structures by Crary] ( j2000| ). However, the 
motivations are quite different and coercions are only used as a tool 
to compile bounded quantification away into intersection types. 

6.3 Variations 

Kind coherence and well-formedness Kind coherence is ex¬ 
pressed by the judgment Thu: which ensures that all coercions 
contained in k as propositions are also coherent, i.e. intuitively, 
that they are inhabited whenever their typing context is inhabited. 
This judgment play a key role in our system. In particular, it is 
essential in rule CoerGen that the kind of the universal variable be 
coherence to prevent (erasable) type abstraction of an incoherent 
kind which would allow typing arbitrary programs, hence some 
erroneous ones. 

However, we also require coherence of all typing contexts in¬ 
troduced by coercions as shown by rule WfPCoer (§ |3.3fr . This 
is convenient, because we can then assume this coherence when¬ 
ever we need it. However, this is also odd, because coherence is a 
semantics issue that we should rather not require globally during 
well-formedness but only as needed in premises of some typing 
rules. Besides, this forces all hut the term judgment (thus including 
well-formedness judgments) to be recursively defined. An alterna¬ 
tive presentation is also being investigated. 

A surface language with explicit non-reducible coercions When 
coercions are left implicit they must be inferred—as well as coer¬ 
cion witnesses, which is obviously undecidable in the general case. 
(Typechecking in F,, or in the most expressive variant of F< ; are 
already undecidable.) In practice, the user should provide both of 
them explicitly—or at least provide sufficient information so that 
they can be inferred. Hence, a surface language would have ex¬ 
plicit coercions just for typing purposes—and coercions should be 



















dropped after typechecking. Indeed, in the general case, we do not 
know how to reduce coercions and, in particular, wedges in a type 
sound manner. In this setting, our soundness result still applies— 
reduction will not introduce erroneous programs—but it does not 
imply subject reduction: it may happen that after reduction there is 
no way to redecorate the residual program with explicit coercions 
to make it well-typed. This seems the price to pay for the generality 
offered by our approach. 

There is a large degree of freedom in the design of such a sur¬ 
face language for F cc : it is always possible to be fully explicit by 
introducing term syntax for describing typing derivations in source 
terms, hence turning type inference into an easy checking process. 
However, this would not only contain type annotations but also full 
construction of coercions (information which is typically inferred 
in languages such as F<:) and of their coherence proofs (informa¬ 
tion which is usually obtained by construction). Programming at 
this level of detail would be too cumbersome for the programmer. 
Therefore, partial type inference techniques should be used so that 
sufficient type and coercion information can be reconstructed, but 
new approaches may be needed. 

6.4 Extensions and variations 

Higher-order types We introduced F cc as an extension of Sys¬ 
tem F, thus restricting ourselves to second-order polymorphism. 
We have verified that our approach extends with higher-order types 
as in F w . 

Intersection types It should also be possible to add intersec¬ 
tion types. (Our semantics already has them.). Following the work 
of |Wells and Haack] < [2002| ) on branching types, it would then be 
interesting to have intersection types as branching typings. 

Existential types We haven’t included primitive existential types 
in F cc but instead used their standard CPS encoding into universal 
types. Adding primitive existential types would also be interesting 
but not immediate. This is not so surprising as the combination of 
existential types with full reduction is known to raise difficulties. 
A solution we have started to investigate is to use a reduction 
strategy equivalent to full reduction but where only terms starting 
with a constructor are substituted. This relates to existing calculi 
with explicit substitutions and generalizes call-by-need calculi to 
full reduction. 

Side effects We have studied a calculus of coercions in an ideal 
theoretical setting, but we do not foresee any problem in applying 
this to a real programming language with impure features such as 
side effects. We are not bound to full reduction, but on the opposite 
have all the freedom to choose weak reduction strategies for term 
abstractions. In the presence of side-effects, we would need a form 
of value-restriction, allowing type and coercion abstractions only 
on value forms. We do not expect this to raise new problems with 
coercions—nor do we expect them to disappear! 

Conclusion 

Generalizing the notion of type coercions to typing coercions, 
we have proposed a type system where the distinction between 
the computation and the typing aspects of terms have been com¬ 
pletely separated. Our apporach subsumes many features of ex¬ 
isting type systems including subtyping, bounded quantification, 
instance bounded quantification, and subtyping constraints. 

The soundness of our calculus has been proved using the step- 
indexed semantics technique which we have adapted to work for 
calculi with full reduction, just for our needs—but it would be 
worth exploring this further. 

As for coercions, several research directions are worth pursing: 
the treatment of incoherent coercion abstraction to recover con¬ 


fluence; variations on coercion constraints allowing closed-world 
views; or new type system features such as dependent types. 

A prerequisite for using F cc in practice is finding a good surface 
language with explicit coercions annotations and sufficient type 
inference. Meanwhile, F cc can still be used to explore (and perhaps 
simplify) languages with explicit type systems as long as their 
implicitly typed version is a subset of (some easy extension of) F cc . 
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